AC-5 Separation of Duties
Last Review: 12/11/2024
Statement
West Texas A&M (WTAMU) University shall ensure that technical controls are in place to support the principle of Separation of Duties, which is implemented to prevent errors and/or fraud. Separation of Duties is achieved by disseminating the tasks and associated privileges for a specific security process among multiple users and chains of command.
This ensures that no single individual or organization is able to both perpetrate and conceal irregularities resulting in unauthorized or unintentional modification or misuse of the university’s information resources.
Applicability
The intended audience for this control includes, but is not limited to, all information resource data/owners, management personnel, and system administrators.
Separation of duties shall be implemented such that operational information resource functions are separated to prevent a single person from harming an operational information resource or the services it provides, whether by an intentional act, omission, or accident.
Implementation
- Information resource owners or their designees are responsible for identifying and documenting processes that are susceptible to fraud.
- Information resource owners or their designees are responsible for implementing appropriate controls that ensure appropriate separation of duties within systems to prevent fraud from occurring.
- Information resource owners or their designees must maintain a list of individuals who have administrative or special access accounts for resources they control. The list must be reviewed by the information resource owner or their designee on a regular basis.
- Individuals who use administrative or special access accounts must use the account most appropriate for the work being performed; see control AC-6 Least Privilege.